Haskell For Kids: Web-Based Environment Goes Public!

Last time, I described my work on a web-based programming environment for Haskell and Gloss, which is available from github as the gloss-web project. Now you can try it online without having to install it yourself! Here’s the URL:

It seems to work fine at least with Chrome, Firefox, and Safari on Linux and Windows. Internet Explorer (even 9) is known NOT to work.

What’s New

I’ve made a few changes to the code and fixed a number of bugs from Sunday’s late-night coding sprint, but the biggest change was to enable use of the SafeHaskell extension. It’s now impossible to circumvent the type system and run arbitrary code on the server. Evidence:

Note that there are still no resource or CPU time limits, so there are no protections against writing infinite loops or infinite data structures, so it’s still possible to use the server to run a denial of service attack against itself. Please don’t do that. I already know you can, and it’s really just not cool. I’ve installed the server on a dedicated otherwise-empty machine I set up and installed for this purpose, so the only people you’ll really be hurting are other programmers like yourself who want to try this demo.

Want a non-trivial example to try it with? Your wish is my command; here’s the simple one I’ve been playing around with as I develop the server:

You can find complete documentation for the gloss package, of course, at http://hackage.haskell.org/package/gloss. Note that the server currently only implements the equivalent of displayInWindow, and rather than using the I/O action (which you can’t do, since SafeHaskell won’t let you do anything but purely functional code), you just define a top-level symbol called “picture” in your module.

Thoughts on SafeHaskell

Overall, I’m thrilled to have the SafeHaskell stuff in GHC. It just has so many potential uses… it’s Java-style sandboxing, but at compile time!

There is one thing that confuses me, though… in order to get this working, I had to patch the gloss library to add “Trustworthy” declarations. This is not ideal, for two reasons:

There are plenty of Haskell modules out there that GHC could easily prove are safe: if nothing else, just try to build them with the Safe extension, and if it fails, try again without it. The vast, vast majority of Haskell packages would pass this test, and become available for use in safe code. But that doesn’t seem to be what happens. A module isn’t considered safe unless it’s explicitly specified to be safe, at compile time. That greatly reduces the amount of code it’s possible to use from safe code, and sets up a huge obstacle in the way of getting a usable safe code ecosystem.

Even worse, in order to make this feasible at all, I had to declare gloss not just safe, but trustworthy. I really shouldn’t have done that, since I haven’t vetted all of the gloss code to ensure that it doesn’t let you do bad stuff. I really wanted GHC to assume that proof obligation, but instead I did myself. Why? Well, if I’d made it safe, I would have had to declare this for only certain modules (a much more intrusive change) and transitively go modify and rebuild all the pure code that gloss depends on, and so on down the dependency tree.

Perhaps I missed something, but if GHC is missing the opportunity to decide for itself when a module is safe, that’s a real shame, and something that will stand as an obstacle in the way of plenty of much more interesting and grander uses of SafeHaskell.

I just use WordPress’s built-in editor, and hit indent and then change the style to “preformatted”. Unless you mean the syntax highlighted code above… that’s a screen shot! It’s Chromium running the Ace editor with the Haskell mode I wrote for it on Sunday.

Gave preformatted a try, but it doesn’t get the nice light gray box on my blog, probably because I am using a different WP blog template. Thanks for the info, either way. Please delete my two comments so that this post’s comment section does not get cluttered.

Duncan Coutts / Aug 16 2011 12:25 pm

I think you’ve misunderstood the Safe extension. You don’t need to mark your modules with Trustworthy, you should make them as Safe. That way GHC will check that they really are safe. The Trustworthy extension is the escape hatch mechanism, it lets you claim things are safe when internally they use unsafe features.

Summary:

* Safe means “please GHC check that I’m sticking to the safe subset of the language and libraries”
* Trustworthy means “really GHC, I know I’m using unsafePerformIO but the external interface is pure, honest!”

No, I understand that… the code I’m compiling from the user is marked as safe; gloss itself is marked as trustworthy.

What I object to is being (for all practical purposes) forced to mark the gloss library as trustworthy. I *wish* that I could let GHC assume the proof burden that it’s safe, too! But then I’d need to not just modify gloss, but recursively go modify and build new versions of all the libraries that *it* depends on too, and so on ad nauseum, until I am maintaining locally modified versions of basically all libraries except for base (and only that because the Safe / Trustworthy annotations are already done). So practically speaking, I have to just mark gloss as trustworthy to avoid potentially days of pointless and meaningless grunt work.

That has two consequences: (1) I’m assuming responsibility for gloss, so if gloss were to expose something unsafe, it’d be my fault and GHC isn’t checking, and (2) it means you can only use gloss because I’ve locally patched it, whereas I really want people to be able to use purely combinatorial modules without worries, and let GHC prove their safety. Basically, I want GHC to stop requiring the Safe annotation, and instead *always* store safety information. If anything, maybe it could be a “way” or something, which I could enable in cabal-install and apply to everything I install. Of course, Trustworthy would have to remain as an annotation.

Sorry if quoting came across as offensive, praps I should have rewritten it. I’ve just started using Hood to animate some simple algorithms.be used with Hood. Do you have any ideas or plans in this direction? And thanks for a couple of years of extremely helpful blog posts.